The wallet-stealing component monitors Windows’ clipboard, the hidden temporary memory used for copy-and-paste operations, roughly every 500 milliseconds. When a user copies a crypto wallet seed phrase or a private key for a Bitcoin or Ethereum wallet, the malware captures that data and sends it to the attacker’s server over the Tor network, an open-source overlay network that provides anonymous communication. It also takes five screenshots, ten seconds apart, and sends those along too.
The risk doesn’t end there.
If a user copies a recipient address to send funds, the worm silently replaces it with an attacker-controlled address before the user pastes, so the transfer goes to the attacker without any visible cue.
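One way a defender could flag the address swap described above, as an added example that is not part of the original article or taken from the malware: a heuristic over clipboard snapshots that alerts when one address is replaced by a different address of the same type, set by a different process, shortly after the copy. The `Snapshot` record, the `owner` field (assumed to come from endpoint telemetry), the 2000 ms window and all sample values are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Address shapes only (no checksum validation); enough to spot a swap.
PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{11,71}"),
}

class Snapshot(NamedTuple):
    t_ms: int    # time the clipboard content was observed
    owner: str   # process that set the clipboard (assumed telemetry field)
    text: str    # clipboard text at that moment

def address_kind(text: str) -> Optional[str]:
    """Return 'eth' or 'btc' if the whole clipboard text is address-shaped."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def find_swaps(snapshots, window_ms=2000):
    """Flag an address replaced by a different address of the same kind,
    set by a different process, within window_ms of the original copy."""
    alerts, last = [], None   # last = (snapshot, kind) of latest address seen
    for snap in snapshots:
        kind = address_kind(snap.text)
        if kind is None:
            last = None       # non-address content resets the tracker
            continue
        if last and last[1] == kind and snap.text.strip() != last[0].text.strip():
            prev = last[0]
            if snap.owner != prev.owner and snap.t_ms - prev.t_ms <= window_ms:
                alerts.append((prev, snap))
        last = (snap, kind)
    return alerts

# Constructed sample data: made-up values, not real wallets or processes.
ETH_A, ETH_B = "0x" + "a1" * 20, "0x" + "b2" * 20
SAMPLE = [
    Snapshot(0, "browser.exe", "meeting notes"),
    Snapshot(10_000, "browser.exe", ETH_A),   # user copies the recipient
    Snapshot(10_500, "unknown.exe", ETH_B),   # replaced before the paste
    Snapshot(60_000, "browser.exe", ETH_A),   # later user copy, outside window
]

if __name__ == "__main__":
    print(find_swaps(SAMPLE))
```

The same comparison works as a paste-time check: compare the value about to be submitted with the value that was originally copied and refuse to proceed on a mismatch.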
Lastly, the worm propagates…




